The present invention relates to systems and techniques for authenticating users submitting requests from client computers for services/resources provided by server computers executing distributed applications.
In a typical computer network configuration, client computers interconnected by the computer network transmit user requests to access services/resources provided by server computers connected to the network. Such server computers typically include data processing agents, which execute applications for processing the user requests and providing the requested services/resources to the client computers. These applications may be executed on a single data processing agent to provide at least one service/resource to the client computers. Alternatively, these applications may be distributed such that portions of the distributed application are executed on respective data processing agents included in the server computer. As a result, each respective data processing agent may be used for providing specific services/resources to the client computers.
One drawback of server computers, whether they execute distributed or non-distributed applications, is that they typically have no knowledge about the user's right to access requested services/resources. This can be problematic because applications executing on server computers often provide different services/resources depending upon the user's level of access privileges.
For example, a user of a client computer with a particular level of access privileges may or may not have access to, e.g., specific files, directories, databases, web pages, and/or other computer services/resources provided by the application. It is therefore desirable to authenticate users submitting requests from client computers to ensure that they have the requisite levels of access privileges for accessing the requested files, directories, databases, web pages, and/or other computer services/resources. In this way, unauthorized users can be prevented from accessing restricted services/resources on the computer network, and the security of the computer network can be maintained.
One technique for authenticating users includes receiving a user request from a client computer at a server computer for a service/resource provided by an application resident on the server computer; and, in response to that request, transmitting a message from the server computer to the client computer informing the client computer of what it must do to authenticate the user. For example, that message might inform the client computer that in order to authenticate the user it must provide a valid USERNAME/PASSWORD combination. In response to that message, the user enters the required USERNAME/PASSWORD combination at the client computer. Another user request is then received at the server computer from the client computer including the entered USERNAME/PASSWORD combination. In response to that request, the USERNAME is located in, e.g., a stored access control list; the PASSWORD corresponding to the USERNAME is verified; and, if the USERNAME/PASSWORD combination is found valid, a stored level of access privileges is retrieved for that user. Finally, the application executing on the server computer provides the user of the client computer with the requested services/resources according to that user's level of access privileges.
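The single-agent flow just described (initial request, challenge, request with USERNAME/PASSWORD, lookup in an access control list, retrieval of the stored privilege level, and service gated by that level), as an added Python example that is not part of the patent text; the access control list, resource table, user names and passwords are constructed, and storing passwords as salted PBKDF2 hashes rather than in the clear is an assumption the text does not specify:

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def _acl_entry(password: str, level: int):
    """Build one access control list entry: (salt, password hash, privilege level)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest, level


# Constructed access control list keyed by USERNAME (not real accounts).
ACL = {
    "alice": _acl_entry("correct horse", 2),
    "bob": _acl_entry("battery staple", 1),
}

# Constructed resource table: path -> minimum privilege level required.
RESOURCES = {"/public/index.html": 0, "/reports/q3.pdf": 1, "/admin/users.db": 2}

# Dummy entry so unknown usernames cost the same as known ones (no timing oracle).
_DUMMY = _acl_entry("unused", 0)


def authenticate(username: str, password: str):
    """Locate USERNAME in the ACL and verify PASSWORD; return the stored level or None."""
    salt, stored, level = ACL.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if username in ACL and hmac.compare_digest(candidate, stored):
        return level
    return None


def handle_request(path: str, credentials=None):
    """One data processing agent serving a client request for a resource."""
    if path not in RESOURCES:
        return {"status": 404}
    if credentials is None:
        # First request carries no credentials: tell the client what it must do.
        return {"status": 401, "challenge": "provide USERNAME/PASSWORD"}
    level = authenticate(*credentials)
    if level is None:
        return {"status": 401, "challenge": "provide USERNAME/PASSWORD"}
    if level < RESOURCES[path]:
        # Valid user, but the retrieved privilege level is insufficient for this resource.
        return {"status": 403, "level": level}
    return {"status": 200, "level": level, "body": f"contents of {path}"}
```

Because the privilege level is known only to the agent that performed the lookup, a second agent in a distributed application would have to repeat the whole exchange, which is the drawback the following paragraph describes.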
The above-described technique of authenticating users can be implemented on a server computer with a single data processing agent executing a non-distributed application that requires knowledge of the user's access privilege level. However, this technique has drawbacks when implemented on a server computer with a plurality of data processing agents executing a distributed application because it has no mechanism for providing the user's access privilege level to the application executing on the plurality of agents.
It would therefore be desirable to have a system and technique for authenticating users submitting requests from client computers to a server computer executing a distributed application. It would also be desirable to have such systems and techniques for authenticating users that minimize the overall time required for performing user authentication.